> I just read a post in comp.security.unix entitled "widespread security hole
> in exporting of filesystems" which claims there are ways to break into a
> system that has filesystems exported to itself.
>
> Does anyone know anything about this? The post said "the trick is to make
> RPC requests via the portmapper, in such a way that they appear to the mount
> daemon to be coming from within the host itself."
>
> The post mentions a program that is "out there" to exploit this hole. If
> anyone has any knowledge of this, could you please post instructions on how
> to test for this.

Yes, if you export to yourself and your NFS isn't set up securely, then you
can call the portmapper command to do the mount call. Thus, it appears the
mount command came from localhost. That gets the filehandle to the intruder,
and bingo for him.

To take corrective measures, don't export to yourself and/or turn on
privileged port checking within NFS.

Yes, this hole is easily exploited, and don't think that most intruders aren't
aware of it. I think it's a known hole back in 1991.

-- 
Christopher William Klaus <cklaus@shadow.net> <iss@shadow.net>
Internet Security Systems, Inc.             Computer Security Consulting
2209 Summit Place Drive,                    Penetration Analysis of Networks
Atlanta, GA 30350-2430.  (404)998-5871.
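The original question asked how to test for this. The script below is an added example, not code from the thread or from Klaus; it checks an exports file for the two conditions the reply names, a filesystem exported back to the host itself and the privileged-port check switched off. It assumes Linux exports(5) syntax as used by nfs-kernel-server, where `secure` (client source port below 1024 required) is the default and `insecure` disables it; the SunOS-era `/etc/exports` syntax the 1994 thread would have seen differs. The sample exports content and the host identity fed to it are constructed for the demo.

```python
"""Scan an exports(5) file for self-exports and for exports that disable
the privileged-port check. Added example; assumes Linux nfs-kernel-server
syntax ('secure' is the default, 'insecure' turns the check off)."""
import fnmatch
import ipaddress
import re
import socket

# Constructed sample /etc/exports for the demo, not taken from any real host.
SAMPLE_EXPORTS = """\
# path        client(options) ...
/home         *(rw)
/srv/data     localhost(rw) client1.example.org(ro)
/srv/build    127.0.0.1(rw,insecure)
/srv/pub      192.168.1.0/24(ro)
/opt/tools    nfsclient.example.org(rw)
/srv/iso      client2.example.org(ro,sync)
"""

# Names that always denote the local host, whatever its hostname or IP is.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "127.0.0.1", "::1"}

SELF_EXPORT = "self-export"   # this host can mount the export from itself
INSECURE = "insecure"         # privileged-port check disabled for this client

_CLIENT_RE = re.compile(r"([^(]*)(?:\((.*)\))?")


def parse_exports(text):
    """Return [(path, [(client_pattern, {options})])] per export line.
    A path with no client list at all is exported to every host."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        path, *clients = line.split()
        parsed = []
        for token in clients or ["*"]:
            m = _CLIENT_RE.fullmatch(token)
            host = (m.group(1) if m else token) or "*"   # "(rw)" alone means '*'
            opts = set(m.group(2).split(",")) if m and m.group(2) else set()
            parsed.append((host, opts))
        entries.append((path, parsed))
    return entries


def client_matches_self(pattern, local_names):
    """True if the client pattern admits this host: a wildcard, a loopback
    name, a CIDR range containing one of our addresses, or a glob matching
    one of our names. Netgroups (@name) need NIS to resolve and are skipped."""
    p = pattern.lower()
    if p in ("", "*") or p in LOOPBACK_NAMES:
        return True
    if p.startswith("@"):
        return False
    if "/" in p:
        try:
            net = ipaddress.ip_network(p, strict=False)
        except ValueError:
            return False
        for name in local_names:
            try:
                if ipaddress.ip_address(name) in net:
                    return True
            except ValueError:
                continue                     # a hostname, not an address
        return False
    return any(fnmatch.fnmatchcase(n.lower(), p) for n in local_names)


def self_export_findings(text, local_names):
    """Return (path, client, kind) for every export the reply would flag."""
    findings = []
    for path, clients in parse_exports(text):
        for host, opts in clients:
            if client_matches_self(host, local_names):
                findings.append((path, host, SELF_EXPORT))
            if "insecure" in opts:
                findings.append((path, host, INSECURE))
    return findings


def local_host_names():
    """Names and addresses this machine answers to, for checking a real file."""
    names = {socket.gethostname(), socket.getfqdn()}
    try:
        host, aliases, addrs = socket.gethostbyname_ex(socket.gethostname())
        names.update([host, *aliases, *addrs])
    except socket.gaierror:
        pass
    return sorted(n for n in names if n)


if __name__ == "__main__":
    # Constructed identity for the demo; on a real box pass local_host_names()
    # and the contents of /etc/exports instead.
    for path, client, kind in self_export_findings(
            SAMPLE_EXPORTS, ["nfsclient.example.org", "192.168.1.10"]):
        print(f"{kind:12s} {path:12s} {client}")
```

This only inspects configuration; it does not probe whether the portmapper on the box will forward (CALLIT) a mount request to mountd, which is the relay the quoted post describes. Run it against the real `/etc/exports` with `local_host_names()` and treat every `self-export` hit as an export that should name specific remote clients instead, and every `insecure` hit as a client entry where the privileged-port check the reply recommends has been switched off.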